diff --git a/README.md b/README.md
index f51fe8fd..a0df8476 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ You need the following permissions to run this module.
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [terraform](#requirement\_terraform) | >= 1.9.0 |
| [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
| [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
index 9badb28b..3fe68a52 100644
--- a/examples/basic/version.tf
+++ b/examples/basic/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
ibm = {
diff --git a/examples/complete/version.tf b/examples/complete/version.tf
index 45c8d81f..6f39952e 100644
--- a/examples/complete/version.tf
+++ b/examples/complete/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
# module's version.tf (basic example), and 1 example that will always use the latest provider version (complete example).
diff --git a/examples/fscloud/version.tf b/examples/fscloud/version.tf
index 8ab45aae..b417a942 100644
--- a/examples/fscloud/version.tf
+++ b/examples/fscloud/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
ibm = {
diff --git a/main.tf b/main.tf
index dc3e6bf2..a0ac1724 100644
--- a/main.tf
+++ b/main.tf
@@ -3,17 +3,6 @@
##############################################################################
locals {
- # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
- # tflint-ignore: terraform_unused_declarations
- validate_kms_values = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? tobool("When passing values for 'kms_key_crn' or 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise unset them to use default encryption.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_kms_vars = !var.use_ibm_owned_encryption_key && var.kms_key_crn == null ? tobool("When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_backup_key = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_backup_key_2 = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? tobool("When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'.") : true
-
- # If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn' and perform validation of 'kms_key_crn' to check if region is supported by backup encryption key.
# If 'use_ibm_owned_encryption_key' is true or 'use_default_backup_encryption_key' is true, default to null.
# If no value is passed for 'backup_encryption_key_crn', then default to use 'kms_key_crn'.
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index ca8e0e6e..1a63b50a 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -13,7 +13,7 @@ The IBM Cloud Framework for Financial Services mandates the application of an in
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [terraform](#requirement\_terraform) | >= 1.9.0 |
| [ibm](#requirement\_ibm) | >=1.70.0, <2.0.0 |
### Modules
diff --git a/modules/fscloud/version.tf b/modules/fscloud/version.tf
index 36ba5643..54b13cac 100644
--- a/modules/fscloud/version.tf
+++ b/modules/fscloud/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# The below tflint-ignore is required because although the below provider is not directly required by this submodule,
# it is required by consuming modules, and if not set here, the top level module calling this module will not be
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 0460e532..94aa96aa 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -9,20 +9,6 @@ module "resource_group" {
existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null
}
-#######################################################################################################################
-# KMS related variable validation
-# (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
-#
-# TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
-#######################################################################################################################
-
-locals {
- # tflint-ignore: terraform_unused_declarations
- validate_kms_1 = var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_kms_2 = !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true
-}
-
#######################################################################################################################
# KMS encryption key
#######################################################################################################################
@@ -317,9 +303,6 @@ locals {
existing_secrets_manager_instance_crn_split = var.existing_secrets_manager_instance_crn != null ? split(":", var.existing_secrets_manager_instance_crn) : null
existing_secrets_manager_instance_guid = var.existing_secrets_manager_instance_crn != null ? element(local.existing_secrets_manager_instance_crn_split, length(local.existing_secrets_manager_instance_crn_split) - 3) : null
existing_secrets_manager_instance_region = var.existing_secrets_manager_instance_crn != null ? element(local.existing_secrets_manager_instance_crn_split, length(local.existing_secrets_manager_instance_crn_split) - 5) : null
-
- # tflint-ignore: terraform_unused_declarations
- validate_sm_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
}
module "secrets_manager_service_credentials" {
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 332d99c1..7197424e 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -139,6 +139,14 @@ variable "use_ibm_owned_encryption_key" {
type = bool
description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key."
default = false
+
+ validation {
+ condition = alltrue([
+ !var.use_ibm_owned_encryption_key || (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null && var.existing_backup_kms_key_crn == null),
+ var.use_ibm_owned_encryption_key || (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null)
+ ])
+ error_message = "If ibm owned encryption is used then existing_kms_instance_crn and existing_kms_key_crn should be null. If not, 'existing_kms_instance_crn' or 'existing_kms_key_crn' or 'existing_backup_kms_key_crn' should be specified"
+ }
}
variable "existing_kms_instance_crn" {
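Review bot: The `error_message` on the new `use_ibm_owned_encryption_key` validation does not match its condition. Its first sentence omits `existing_backup_kms_key_crn`, which the first condition also requires to be null. Its second sentence lists `existing_backup_kms_key_crn` as sufficient, but the second condition accepts only `existing_kms_instance_crn` or `existing_kms_key_crn`. An operator who sets only a backup key would be rejected by a message saying that input is enough. Splitting this into two `validation` blocks that reuse the messages of the removed `validate_kms_1` and `validate_kms_2` locals keeps each failure specific; the validation added in the root `variables.tf` merges four checks into one message in the same way.

```hcl
  # … unchanged: type, description, default …

  validation {
    condition     = !var.use_ibm_owned_encryption_key || (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null && var.existing_backup_kms_key_crn == null)
    error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false."
  }

  validation {
    condition     = var.use_ibm_owned_encryption_key || var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null
    error_message = "When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key."
  }
```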
@@ -263,6 +271,11 @@ variable "existing_secrets_manager_instance_crn" {
type = string
default = null
description = "The CRN of existing secrets manager to use to create service credential secrets for Databases for Redis instance."
+
+ validation {
+ condition = (length(var.service_credential_secrets) == 0 || var.existing_secrets_manager_instance_crn != null)
+ error_message = "'existing_secrets_manager_instance_crn' should be provided if there are 'service_credential_secrets'"
+ }
}
variable "existing_secrets_manager_endpoint_type" {
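Review bot: This validation counts `var.service_credential_secrets`, whereas the removed `validate_sm_crn` local counted `local.service_credential_secrets`. Neither definition is visible in this diff, so it is worth confirming that the local is built only from the variable. If it is not, credentials could be defined without a Secrets Manager instance and this check would no longer catch it. If the variable is nullable, `length()` would fail before the friendly message is shown, so consider a comment such as `# assumes service_credential_secrets is non-null (default [])` above the condition.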
diff --git a/solutions/standard/version.tf b/solutions/standard/version.tf
index b57af225..4b089417 100644
--- a/solutions/standard/version.tf
+++ b/solutions/standard/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
# Lock DA into an exact provider version - renovate automation will keep it updated
required_providers {
ibm = {
diff --git a/variables.tf b/variables.tf
index d778b26d..f51fecae 100644
--- a/variables.tf
+++ b/variables.tf
@@ -189,6 +189,17 @@ variable "use_default_backup_encryption_key" {
type = bool
description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data."
default = false
+
+ validation {
+
+ condition = alltrue([
+ !var.use_ibm_owned_encryption_key || (var.kms_key_crn == null && var.backup_encryption_key_crn == null),
+ var.use_ibm_owned_encryption_key || var.kms_key_crn != null,
+ (var.use_ibm_owned_encryption_key || var.backup_encryption_key_crn != null) || (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups),
+ (var.use_ibm_owned_encryption_key || var.backup_encryption_key_crn == null) || (!var.use_same_kms_key_for_backups)
+ ])
+ error_message = "If IBM owned encryption is used then 'kms_key_crn' and 'backup_encryption_key_crn' should be null. If not, 'kms_key_crn' should be provided and if 'backup_encryption_key_crn' is not provided 'use_same_kms_key_for_backups' or 'use_default_backup_encryption_key' should be true.If 'backup_encryption_key_crn' is provided then 'use_same_kms_key_for_backups' should be set to false"
+ }
}
variable "kms_key_crn" {
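Review bot: The fourth entry in `alltrue([...])` is weaker than the removed `validate_backup_key` local, which also rejected a `backup_encryption_key_crn` passed together with `use_default_backup_encryption_key = true`. That combination now passes validation, and the context comment in `main.tf` ("If ... 'use_default_backup_encryption_key' is true, default to null") suggests the supplied customer key would then be silently ignored for backups. To keep the earlier guarantee, the entry could read `(var.use_ibm_owned_encryption_key || var.backup_encryption_key_crn == null) || (!var.use_same_kms_key_for_backups && !var.use_default_backup_encryption_key)`. The error message should then mention `use_default_backup_encryption_key` in its last sentence, and it is also missing a space in `true.If`. The variable block itself begins above this hunk.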
diff --git a/version.tf b/version.tf
index 6a6163ae..5cfc2b71 100644
--- a/version.tf
+++ b/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
ibm = {
source = "IBM-Cloud/ibm"